This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Manage Data Privacy Regulation Compliance” section:
- Plan for regulatory compliance in Microsoft 365
- Review and interpret GDPR dashboards and reports
- Manage Data Subject Requests (DSRs)
Plan for Regulatory Compliance in Microsoft 365
There are a lot of considerations to take into account when migrating data to any cloud service, and Microsoft 365 is no different. A number of controls help us stay compliant with the different regulations our organization may be subject to. Some of these controls are already in place on the Microsoft side and require no action from us; however, others must be met by us using the technologies available. In this section of the study guide we will look at how we use the following technologies to ensure we remain compliant:
- GDPR Dashboard
- eDiscovery / Data Subject Requests
- Compliance Manager
- Compliance Reports
- Compliance Manager Assessments
Review and Interpret GDPR Dashboards and Reports
To get started with the GDPR Dashboard, open the Office 365 Security and Compliance Center and open “Data Privacy” -> “GDPR Dashboard”.
Here we have access to the GDPR toolbox, an option to create a DSR (although we will do this in the Compliance Center later in this post), and some reports on compliance-related items such as DLP policy matches. Within the GDPR toolbox in particular we have the following functionality available (these are mostly just shortcuts to other areas of the compliance suite):
- Discover – Items relating to scanning and/or locating data
  - Import Data – Navigates to the import data wizard
  - Find personal data – Navigates to Content Search
- Govern – Items relating to classification of data
  - Auto-Apply Labels – Navigates to the Retention Label Policies
  - Disposition – Navigates to the Retention Label Policies
  - Use Compliance Manager – Navigates to the Microsoft 365 Service Trust Portal Compliance Manager*
- Protect – Items relating to protecting against data loss
  - Create a Data Loss Prevention Policy – Navigates to the DLP section
  - Apply cyberthreat Policies – Navigates to the Defender for Office 365 Policy configuration
- Monitor & respond – Items relating to tracking data and behaviour in the tenancy
  - Respond to DSRs – Navigates to the Data Subject Request case wizard
  - Respond to legal investigations – Navigates to eDiscovery
  - Set up alert policies – Navigates to the Alert Policies section
  - View Reports – Navigates to the Alert Policies section
  - Visit Service Assurance – Navigates to the Service Assurance page
*The version of Compliance Manager in the Service Trust Portal is replaced by Compliance Manager in the new Microsoft 365 Compliance Portal, which we will look at in the next post.
Manage Data Subject Requests (DSRs)
To create a Data Subject Request (DSR) for a user, rather than using the option in the toolbox above, navigate to the Microsoft 365 Compliance Portal and open the “Data Subject Requests” page under the “Solutions” section.
From here, click “create a case” to get started, then give the case a name and description.
Next, select the person the request relates to.
Finally, click “Save” to finish.
When the case is created, open it from the DSR page by clicking the “Open Case” option. Here we see an eDiscovery Case has been created for contents relating to the user. We can follow standard eDiscovery steps to create an export of the data associated.
Here we have looked at GDPR tools that can help us stay compliant and respond to DSR requests. In the next post we will dive into Compliance Manager and see how we can use it to review our current status and create assessments to ensure we align with regulations. For now, more information on the topics covered here can be found at the links below:
Service assurance in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs
General Data Protection Regulation – Microsoft GDPR | Microsoft Docs
Data Subject Requests for the GDPR and CCPA – Microsoft GDPR | Microsoft Docs